FreeBSD 6.0RC1 - pf and big tables, pfspamd
solinym at gmail.com
Tue Oct 25 03:11:46 PDT 2005
> Is there a possibility to abuse pf in the following fashion?
> rdr inet proto tcp from a.b.c.d/32 [if dnsquery d.c.b.a.list.dsbl.org
> == 127.0.0.2] to any port smtp -> 192.168.0.100 port 8025
Disclaimer: I don't speak for anyone.
It would be nice, but then they'd need to link the resolver library
into the kernel, and the kernel would block when doing lookups*, which
is probably unacceptable. Or are you talking about doing the lookups
when the rules are loaded?
If that's the case, you can just preprocess the rules file and do your
[*] Unless you get tricky and do kernel preemption.
More generally, it'd be nice if we could hook routing decisions to
userland programs, but then the kernel has to make its decisions in
to schedule a userland program and run it, you'd have to save your
place and come back...
I recently proposed on the pf mailing list that pf actually be a
virtual machine which runs a simple program, then we could do lots of
fancy optimization, and maybe JIT compilation of rules. There was
talk of checkpoint having a patent on something similar (see the
pf at benzedrine.cx archives for the URL to the patent). Seems
straightforward though, as bpf already does something like this, I
wonder if that counts as prior art.
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
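As an added illustration of the "preprocess the rules file" alternative discussed above (not code from the thread or from pf itself): a small Python helper that does the DNSBL lookups in userland at rule-load time and emits a pf table plus the rdr rule from the quoted message. The zone `list.dsbl.org`, the `127.0.0.2` listed-reply code, the table name `dnsbl_listed` and the redirect target are taken from the quoted rule or are assumptions; the resolver is injectable so the sample run below works offline on constructed replies.

```python
"""Resolve DNSBL listings in userland and render a pf ruleset fragment.

Hypothetical helper written for this thread, not part of pf. The kernel never
does a DNS lookup; the lookups happen here, before `pfctl -f` loads the result.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional

DNSBL_ZONE = "list.dsbl.org"   # zone named in the quoted rdr rule (assumption)
LISTED_REPLY = "127.0.0.2"     # reply code the quoted rule compares against
TABLE = "dnsbl_listed"         # hypothetical pf table name


def dnsbl_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """a.b.c.d -> d.c.b.a.<zone>; rejects anything that is not a plain IPv4 address."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name: str) -> Optional[str]:
    """Real lookup through libc; NXDOMAIN (not listed) comes back as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def listed_hosts(candidates: Iterable[str],
                 resolve: Callable[[str], Optional[str]] = system_resolver) -> List[str]:
    """Keep only candidates whose DNSBL A record is exactly LISTED_REPLY."""
    return [ip for ip in candidates if resolve(dnsbl_name(ip)) == LISTED_REPLY]


def render_ruleset(listed: Iterable[str]) -> str:
    """Emit the table and the rdr rule from the thread with the lookup already done."""
    members = list(listed)
    table = f"table <{TABLE}> persist"
    if members:                      # an empty brace list is avoided on purpose
        table += " { " + ", ".join(members) + " }"
    rdr = (f"rdr inet proto tcp from <{TABLE}> to any port smtp "
           f"-> 192.168.0.100 port 8025")
    return table + "\n" + rdr + "\n"


if __name__ == "__main__":
    # Constructed replies standing in for the DNSBL so the demo runs offline.
    fake_dns = {"4.3.2.1.list.dsbl.org": "127.0.0.2",
                "8.8.8.8.list.dsbl.org": "127.0.0.3"}.get
    print(render_ruleset(listed_hosts(["1.2.3.4", "8.8.8.8", "10.0.0.1"], fake_dns)))
```

Feed the output to `pfctl -f`, or load just the table with `pfctl -t dnsbl_listed -T replace -f <file>`, and rerun the script from cron to refresh listings without reloading the whole ruleset.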